COMP 527 Final Project Proposal

Wei-Cheng Xiao and Lei Tang

Abstract—The packets in a mobile wireless ad-hoc network (MANET) are vulnerable to various packet-dropping attacks. Due to the lack of a centralized monitoring mechanism, it is a challenging problem to identify the attackers that launch packet-dropping attacks in a MANET. The existing DoS defensive techniques have not provided a scheme that solves this problem efficiently and effectively. Hence we present a scheme, called CATCH, which constructs cryptographically verifiable proofs for packet transmissions and identifies the attackers by systematically investigating the packet transmission proofs from the nodes on a route. CATCH is a distributed scheme in which a node maintains a packet-dropping metric for every node to which it has forwarded packets. The packet-dropping metric is computed from the past packet forwarding history and gives a node important information for evaluating the reliability of another node in forwarding packets. We plan to evaluate CATCH by measuring its accuracy and latency in identifying malicious packet droppers in simulated wireless ad-hoc networks using the ns-2 network simulator.

I. INTRODUCTION

Mobile wireless ad-hoc networks (MANETs) have many applications, such as providing communication among a disaster relief team deployed to a place without a network infrastructure. In a MANET, a packet may traverse multiple hops before reaching its destination, making it vulnerable to various packet-dropping attacks. The packet droppers can censor the packets forwarded to them and drop packets based on their content, or selectively drop packets [1] based on their source and destination. Due to the lack of a centralized packet transmission monitoring mechanism and of a reliable network infrastructure to support global monitoring, it is a challenging problem to identify malicious packet droppers.
For instance, a malicious packet dropper may claim that it has transmitted all packets forwarded to it while its downstream node receives none of these packets. A malicious packet dropper may also drop the acknowledgment packet for a packet received by the destination, causing the source to resend the packet. It is difficult for the source to identify which node on the route to the destination is a malicious dropper, as any one of them can be a malicious node. Furthermore, wireless transmissions may fail due to node mobility and poor channel conditions, which adds to the difficulty of identifying the malicious nodes.

The existing DoS defensive techniques have not provided a scheme that can efficiently and effectively solve this challenging problem. The gray hole detection scheme in [1] relies on cooperative nodes and probe packets to check whether a node is launching packet-dropping attacks. The probe packets incur extra overhead, and the results from cooperative nodes may not be trustworthy. The scheme in [2] utilizes acknowledgment packets to detect the packet droppers under the assumption that malicious packet droppers will not drop acknowledgment packets. A malicious node in a wireless network may drop all types of packets, rendering this scheme less effective in real networks.

We present a scheme, called CATCH, which constructs cryptographically verifiable proofs for packet transmissions and identifies the packet-dropping attackers by systematically investigating the packet transmission proofs from the nodes on a route. CATCH requires a node to provide a proof for every packet it forwarded. CATCH is a distributed scheme in which a node maintains a packet-dropping metric for every node to which it has forwarded packets. The packet-dropping metric is computed from the past packet forwarding history and gives a node important information for evaluating the reliability of another node in forwarding packets.
As it is impossible to tell the difference between a malicious packet forwarder dropping a packet and the packet being lost due to wireless transmission errors, a node can also be regarded by other nodes as having a high packet-dropping metric if it has bad wireless connections to them.

CATCH provides very useful information for MANET applications. Wireless transmission will have a higher delivery ratio when nodes with high packet-dropping metrics are precluded. With knowledge of the packet-dropping metrics of the nodes in the network, a routing protocol will be able to design better routes that avoid packet droppers. A malicious packet dropper will cause much less damage to network communications after it is identified by other nodes as having a high packet-dropping metric.

We plan to evaluate CATCH by measuring its accuracy and latency in identifying malicious packet droppers in simulated wireless ad-hoc networks using the ns-2 network simulator.

II. RELATED WORK

In this section we review the existing work on detecting and defending against packet-dropping attacks. The scheme in [1] relies on probe packets and cooperative nodes to detect whether a node is launching a gray hole attack by selectively dropping packets. If the packet initiator finds that a packet sent to a cooperative node is not received by the cooperative node, the packet initiator increases the suspicion value of the node being checked. The first problem with this scheme is that the cooperative nodes may be malicious and send bogus probe packet reception information to the packet initiator. Another problem is that sending probe packets consumes wireless network bandwidth, and the packet dropper may forward the probe packets while selectively dropping the data packets from the initiator. The scheme in [2] utilizes acknowledgment packets to detect the packet droppers under the assumption that malicious packet droppers will not drop acknowledgment packets.
A malicious node in a wireless network may drop all types of packets, rendering this scheme less effective in real networks. In addition, this scheme forms different groups on a route, and the ACK packets transmitted among the groups incur extra messaging overhead.

The REAct system [3] tries to identify individual malicious nodes that conduct packet drop attacks. In REAct, when a significant packet drop ratio is detected, the source node would cast a random audit request to ask for a behavioral proof of successful packet reception. Through this mechanism, malicious nodes are identified by the proofs provided by honest nodes. However, it assumes that there exist at least two independent paths between any pair of nodes in the network, and that a source node shares pairwise secret keys with the nodes in the source-destination path. These assumptions would introduce high overhead when the network size gets large and are not feasible in real networks. In addition, REAct cannot detect colluding attackers, while our detection system works whether or not the attackers are colluding.

III. METHODOLOGY

In our proposed scheme, detection of packet dropping is performed by the source node of each active route in the network. An active route is a path in use by a source-destination pair. Every node in the path, on receiving a packet, would send an ACK (MAC layer) back to the previous hop. This ACK includes the node's signature so that the ACK is considered to be unforgeable. The previous hop keeps this ACK as a proof of its successful packet forwarding and saves it for later investigation by the source node, in case the source node fails to receive an ACK for the data packet sent to the destination. Once the destination node receives a packet, it would send an ACK for the data packet to the source node via the reverse route. This ACK is also digitally signed by the destination and cannot be forged.
Every node in the path receiving this ACK would also keep it as a proof. If the source does not receive the ACK within a given amount of time, it considers that a packet/ACK loss event has occurred. If packet loss events happen too often, i.e., more often than a threshold, an investigation would be held by the source node to find out where the packets are lost/dropped. Later in this section, we describe the details of the investigation.

Here we make the following assumptions in our work:

• In the network, packet transmission and forwarding is based on source routing. We will be using DSR as the routing protocol in this work; however, any source routing protocol would be compatible with our scheme.
• We assume all links in the network are symmetric; that is, node A can hear node B implies node B can hear node A.

A. Investigation

Based on the number of data packets generated and the number of ACKs it receives, a source node can detect whether the packet loss rate is higher than a threshold. If so, it would hold an investigation to find out where the packets are dropped or lost, and then the nodes near the drop point would be regarded as bad or malicious nodes. In the investigation, the source node asks every node in the path to provide evidence of the reception of ACKs both from their previous hops and the destination. Based on this evidence, the source node can narrow down the scope of suspects to two nodes. For instance, node S sends packets to the destination node D, and these packets are forwarded by A, B, and C in order. If a packet is lost and A provides the proof of receiving an ACK (MAC layer) from B but B cannot provide any proof, then S would consider that the packet is lost/dropped between B and C. With the same logic, if an ACK (Transport layer) is dropped, S can also find out the suspects.

B. The Packet-Dropping Metric

In addition to the investigation scheme, a packet-dropping metric helps a source node judge nodes' "goodness" more accurately and fairly. A source node builds the metrics of the nodes in its paths. Whenever a node is considered to have lost or dropped a packet or ACK, its packet-dropping metric would be incremented. On the other hand, on successful packet/ACK transmission, all the nodes in the path would have their metrics decreased. A node with a high packet-dropping metric would be considered a malicious node or a bad node, i.e., a node running out of power or getting high interference nearby. If possible, a source node would not select a node with a high metric when deciding the route. We do not give the details of packet-dropping metric management here but the concept only. Details will be described in the final report. Note that a node only keeps the metrics of other nodes internally; that is, no metric information is shared among different nodes.

C. System Environment and Performance Evaluation

We will implement our work and evaluate its performance in the network simulator ns-2, which provides the DSR routing protocol and thereby simplifies our work. Even so, we have to add the packet-dropping metric information, as well as a notification mechanism for missing packets or ACKs, into DSR for route selection. We will be using different kinds of mobility models in ns-2 to test how our system performs under node mobility. We will also evaluate the overall performance from different aspects, including the overhead of notification messages and the false positive rate and false negative rate of malicious node detection.

IV. EXPECTED CONTRIBUTION

Our work aims to narrow down the scope of possible malicious nodes in malicious node detection and to achieve high successful detection rates when multiple active routes exist in the network at the same time.
We will also leverage the packet-dropping metrics to track the historical behavior of the nodes and hopefully get more accurate results. Through performance evaluation, we are going to demonstrate that our system can detect malicious or bad nodes in a MANET with reasonable overhead and good accuracy, in terms of false positive rates and false negative rates. Furthermore, our detection mechanism can help source nodes in a MANET choose better routes by avoiding malicious nodes or nodes with low power, bad link quality, or poor communication environments.

V. EXPECTED PROJECT SCHEDULE

Date      Expected progress
Oct. 26   Come up with all the details of our system design and write them down in the report
Nov. 5    Finish the implementation of our system in ns-2
Nov. 9    Finish simple tests and debugging in our implementation
Nov. 16   Finish performance evaluation of our system under specific mobility model and parameters
Nov. 26   Try different parameters and mobility models and finish more performance analysis
Nov. 29   Finish the final report and preparation for presentation

REFERENCES

[1] J. Sen, M. G. Chandra, H. S.G., H. Reddy, and P. Balamuralidhar, “A mechanism for detection of gray hole attack in mobile ad hoc networks,” in Proceedings of 6th International Conference on Information, Communications and Signal Processing 2007, Dec. 2007.
[2] A. S. A. Ukey and M. Chawla, “Detection of packet dropping attack using improved acknowledgement based scheme in manet,” IJCSI International Journal of Computer Science Issues, vol. 7, no. 1, pp. 12–17, 2010.
[3] W. Kozma and L. Lazos, “REAct: resource-efficient accountability for node misbehavior in ad hoc networks based on random audits,” in Proceedings of the second ACM conference on Wireless network security. ACM, 2009, pp. 103–110.
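
Added example, not part of the original proposal or the authors' ns-2 code: the source-side investigation of Section III-A and the source-local metric of Section III-B, for the data-packet direction, where each node's proof is the signed MAC-layer ACK from its next hop as in the S, A, B, C, D example. HMAC with constructed per-node keys stands in for the digital signatures, and all function names and the penalty and reward values are assumptions.

```python
import hashlib
import hmac

ROUTE = ["S", "A", "B", "C", "D"]  # the proposal's example path
# Constructed per-node keys. HMAC is a standard-library stand-in for the digital
# signatures the proposal calls for; real nodes would sign with a private key
# and the source would verify with the matching public key.
KEYS = {n: hashlib.sha256(b"demo-key-" + n.encode()).digest() for n in ROUTE}


def sign_ack(signer, holder, packet_id):
    """ACK that `signer` returns to its previous hop `holder` for one packet."""
    msg = f"{signer}|{holder}|{packet_id}".encode()
    return hmac.new(KEYS[signer], msg, hashlib.sha256).digest()


def verify_ack(signer, holder, packet_id, tag):
    """A missing, forged, or replayed (wrong packet_id) ACK is not a proof."""
    if tag is None:
        return False
    return hmac.compare_digest(sign_ack(signer, holder, packet_id), tag)


def investigate(route, packet_id, proofs):
    """Walk the route from the source; the first hop without a valid proof
    bounds the loss. Returns (upstream, downstream), or None if all hops prove."""
    for holder, next_hop in zip(route, route[1:]):
        if not verify_ack(next_hop, holder, packet_id, proofs.get(holder)):
            return holder, next_hop
    return None


def update_metrics(metrics, route, suspects, penalty=2, reward=1):
    """Source-local packet-dropping metric. penalty and reward are assumed
    values; the proposal defers the exact update rule to the final report."""
    if suspects is None:  # delivered: every node on the path improves
        for node in route[1:]:
            metrics[node] = max(0, metrics.get(node, 0) - reward)
    else:  # loss: only the two nodes around the drop point are charged
        for node in suspects:
            if node != route[0]:
                metrics[node] = metrics.get(node, 0) + penalty
    return metrics


def sample_proofs(route, packet_id, hops_acked):
    """Constructed input: valid ACKs for the first `hops_acked` links only."""
    links = list(zip(route, route[1:]))[:hops_acked]
    return {holder: sign_ack(nxt, holder, packet_id) for holder, nxt in links}
```

Because the ACK binds signer, holder and packet identifier, a node cannot satisfy the investigation with a tag it computed itself or with a valid ACK kept from an earlier packet.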